Slashdot Mirror
Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
They should just publish their code. Let the individual hackers decide what to do with it...
Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.
Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn't have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server. The latter could then issue commands to the test Storm worm drones in the laboratory so that, for example, they downloaded a specific program from a server, perhaps a special cleaning program, and ran it. The students then went on to write such a program.
Seems like the method involves the server communicating with the client - which could be considered "hacking" and thus be problematic.
Especially here in Germany where even possessing nmap is a crime.
Vigilantism is the result of when the government cannot protect the citizen from something that it's reasonable to believe they should be protected from. It's usually due to the problem of balance between making things illegal and restricting reasonable fredom.
But in this case it's more toward the issue of the problem not being within the government's charter, or that the government simply does not have the structure (laws, with teeth) required to protect the citizen.
I'm not a fan of vigilantism in general, but there are times when I approve of it. I'd personally love it if someone would infiltrate the botnets and inject a command to brick (but not erase) every computer that's infected, as a measure to protect millions of innocent people.
Imagine the city you live in, where 15% of the cars parked on the curbs have the keys in the ignition. And there's a growing problem in the city of kids going on joy rides and trashing cars and property and even killing people. But the car owners don't want to bother with the problem and don't care unless their car gets trashed, and don't wany anyone telling them what to do with their car. I'd lead the effort to walk the blocks, looking for cars with keys in the ignition, and hiding them somewhere in their car. Don't like it? Quit leaving your keys in the ignition. yes, it may violate a right of yours, but by your extending your liberty it's violating the rights of others to a larger degree.
I work for the Department of Redundancy Department.
Yeah, but it's an international problem. A guy from F-secure in Finland has been calling for the formation of an "internetpol" for exactly these reasons. I think he's right because otherwise international net crime will continue unabated, since nobody is in charge of combating it. An international body designed to coordinate .crime policing efforts is sorely needed.
I have mod points. The reign of terror begins now.
I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?
Remove the zombies in your country and the zombie problem is pretty much solved.
But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.
What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?
It seems to me that a computer participating in a botnet is already a threat to the public. If "cleaning gone wrong" fouls a computer that's already infected, that's really just 'collateral damage'. If it happens to be a hospitals computers, well, I'd say the real problem was the hospital trusting critical infra-structure to software that's insecure. If a hospital is really dumb enough to put infra-structure that could harm someones life on a network connected to the internet, I'd say that's criminal negligence.
I really do think we've hit the point where the people with the vulnerable computers need to start taking SOME of the blame here and stop acting as if they're all just innocent bystanders. There's certainly plenty of blame to go around. (Oh, and the software producers can sure take some of the blame as well).
AccountKiller
Yeah, but if you do that then the botnet will be patched against the specific takedown code before it makes it through congressional committee.
What probably should happen is that some major world government (US, EU?) should decide that the botnet is a major headache and a threat to national security. Then the info warfare devision of the military would prepare a suitable script that would only disable the bots (perhaps installing a security patch on the way out to prevent reinfection).
Then they just do it. The operation would be classified and launched in a way that would be extremely difficult to trace.
All the pundits on the internet would cry about how horrible an action it was (though nobody would complain about the 95% reduction in spam). However, everybody would blame their favorite love-to-hate government (China, the US, France, whatever :)), while the folks in on the classified operation in the Netherlands laugh every time they get to work. And if by some miracle somebody actually figures out where it came from (large governments could just inject packets on any random telecom line, and even route them through tor if they want), what is anybody going to do about it? Launch a war on Belgium for ridding the world of spam? Levy economic sanctions for saving every company with an email server millions every year.
Big governments kill people all the time in the interest of public safety and security. What's the worse that could happen - a few million home PCs lock up from a poorly-designed script? That could already happen any day if one of Storm's owners makes a mistake.
I'm not big on government trespass on private property. However, if somebody's row home catches on fire and the owner refuses to let in those responsible for putting out the fire, then the police will simply put them in cuffs and let the firemen axe open the door. They might not do it for a single family home, but they'd not let a block go up in flames because some guy refused to cooperate.
If you want to be really nice about it then just put a public service annocement on TV stating that in the coming month the government is going to wipe out the Storm botnet, and that anybody who doesn't like the idea of having the government clean up their PC should opt out by removing their computer from the botnet in the next seven days...
I know it's terrible form to reply to one's own post, but let me just come out and suggest it:
A collaborative, and perfectly anonymous or pseudonymous code project.
Wicherski, Werner, Leder and SchlÃsser must be protected from punishment for their fine work for the good of humanity. So, informed by their disclosures, I say an open source counter-worm ought to be developed from scratch. To protect those working on it, the collaboration model would have to be a little bit 4channy.
The downside to anonymity (As our good friend the Obama/Library/Poop guy shows us) is that it means people don't have to act accountably. There would probably be tons of ebil coders, seeing a wide-deployment worm accepting code contributions, trying to sneak their own obfuscated backdoors into the code.
But the upside to a system like this is transparency. There are still plenty of eyes on the code, and plenty of coders to call shenanigans on one another.
Whadda ya say?
DRM: Terminator crops for your mind!